...In order to help you, I am afraid we are going to need to see the Tracking URL, as described in the article "How-to Post a Question - Short" section labeled "The Details." This will allow us to see what the links looked like to the SpamCop parser, which determines whether and to whom to report links.

...Also highly recommended for your review is the SpamCop Forum (to which there are links near the top left of every SpamCop Forum page) article "SpamCop reporting of spamvertized sites - some philosophy."

Actually I am not a technical person. Can you translate this into English?

Is the organization hosting the files being referenced in the spam being made aware of that?

For example, I have received a bunch of emails that are clearly PHISHING in nature. These messages refer to an email address where the receiver is instructed to send information so the sender can steal from them. SpamCop deals with the sender but not the "reply to" address listed in the fake job description. I reported these email addresses to the host of those email accounts and those domains were closed. Spam and PHISHING messages have little value if the websites and email addresses are closed.

Actually I am not a technical person. Can you translate this into English?

...Well, I'm not the world's most technical person, either, but here is how I'd interpret it (with respect to the first link the SpamCop parser found, http:/ /technologywhitepapers.e5t8.com/remo...3903d42a#nowrap):

SpamCop checked its recent archive of reports and did not find a reference with this link.

Resolves to 74.217.151.81

SpamCop looked up technologywhitepapers.e5t8.com in a translation table and found that the IP address for that domain is 74.217.151.81.

Routing details for 74.217.151.81

[refresh/show] Cached whois for 74.217.151.81 : abuse[at]internap.com

SpamCop looked up the e-mail address to which internet abuse, such as spam, should be reported for that IP address and discovered that the abuse e-mail address is abuse[at]internap.com.

Using abuse net on abuse[at]internap.com

abuse net internap.com = noc[at]internap.com

SpamCop looked up the abuse e-mail address to see if that is really the correct place to send a complaint and found that instead it should check for noc[at]internap.com.

Using best contacts noc[at]internap.com

SpamCop is going to look for the best e-mail address to use to contact noc[at]internap.com.

Reports disabled for noc[at]internap.com

SpamCop found a flag that indicates that for some reason it can not or should not report abuse to noc[at]internap.com. This might be for any of a number of reasons, for example because previous reports sent to noc[at]internap.com bounced with an error message or because someone at internap.com asked that reports not be sent.

Using noc#internap.com[at]devnull.spamcop.net for statistical tracking.

For future reference and for calculating the incidence of spamvertized links mentioning technologywhitepapers.e5t8.com, for whatever use it might make of such statistics, it is storing the information under the heading of "noc#internap.com[at]devnull.spamcop.net."

Is the organization hosting the files being referenced in the spam being made aware of that?

...Presumably not, because of the "Reports disabled for noc[at]internap.com" note.

For example, I have received a bunch of emails that are clearly PHISHING in nature. These messages refer to an email address where the receiver is instructed to send information so the sender can steal from them. SpamCop deals with the sender but not the "reply to" address listed in the fake job description. I reported these email addresses to the host of those email accounts and those domains were closed. Spam and PHISHING messages have little value if the websites and email addresses are closed.

...As far as I can see, you are correct and have done the right thing in reporting the abuse to the host of the "reply-to" e-mail accounts. For what it's worth, I do the same thing for many of the spams I see, especially "419" scams.

It would need a member of the SC staff to provide any specific information about reports concerning the activity of e5t8.com (and they might prefer not to do that). I think it is a safe bet that the hosting InterNap Network is well aware that there are grounds for complaint about the abuse of their facilities; however, the e-mail you received goes some way towards demonstrating/pretending compliance with CAN-SPAM provisions, which perhaps allows InterNap to remain indifferent - or worse, perhaps to pass on complaint details to the spammer (Registrant) who shelters from the public through the WhoisGuard within the Registrar's domain records.

Domain Dossier shows there is no registered mail exchange for that domain. A service scan of e5t8.com (74.217.151.81) indicates an email service exists (SMTP - 25) with a response "220 malibu1.com (NO UCE) ESMTP IndiMail 1.152" which I note only for the sheer irony of the (NO UCE) part. malibu1.com won't pass on mail from just any old source though - "553 sorry, that domain isn't allowed to be relayed thru this MTA without authentication #5.7.1".

Agree it is best to close down phish "drop boxes" which is why the perpetrators work hard to make them bulletproof.

P.S. Oh, should add SC ignores "From:" and "Reply-to:" addresses in spam - got to be that those were mostly spoofed early in the history of spam. Not for some kinds of phish though (as in this case). Google.com is responsible for the return e-mail address in your case but SC won't send reports there, as explained. You can still get the abuse address through SC (entering just the e-mail address in the paste-in submission box in your members.spamcop.net page). Maybe you knew all that.
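The parser trace walked through earlier in this thread can be reduced mechanically to the answer to "was the host actually notified?". The sketch below is an added example, not SpamCop's code or part of any post: the line formats are taken only from the single trace quoted in the thread (with its "[at]" obfuscation), and the devnull alias rule is inferred from that one instance, so other traces may need more patterns.

```python
import re

# Trace lines as quoted in the thread ("[at]" obfuscation kept as posted).
TRACE = """\
Resolves to 74.217.151.81
Routing details for 74.217.151.81
[refresh/show] Cached whois for 74.217.151.81 : abuse[at]internap.com
Using abuse net on abuse[at]internap.com
abuse net internap.com = noc[at]internap.com
Using best contacts noc[at]internap.com
Reports disabled for noc[at]internap.com
Using noc#internap.com[at]devnull.spamcop.net for statistical tracking.
"""

ADDR = r"[\w.#+-]+\[at\][\w.-]+"  # address in the thread's obfuscated form


def devnull_alias(addr):
    """Assumed rule (inferred from the one example): '[at]' becomes '#'."""
    return addr.replace("[at]", "#") + "[at]devnull.spamcop.net"


def summarize(trace):
    """Collect the lookup chain and decide who, if anyone, gets a report."""
    s = {"ip": None, "whois": None, "remapped": None,
         "best": [], "disabled": [], "devnull": []}
    for line in trace.splitlines():
        line = line.strip()
        if m := re.match(r"Resolves to (\S+)", line):
            s["ip"] = m.group(1)
        elif m := re.search(rf"Cached whois for \S+ : ({ADDR})", line):
            s["whois"] = m.group(1)
        elif m := re.match(rf"abuse net \S+ = ({ADDR})", line):
            s["remapped"] = m.group(1)
        elif m := re.match(r"Using best contacts (.+)", line):
            s["best"] = re.findall(ADDR, m.group(1))
        elif m := re.match(rf"Reports disabled for ({ADDR})", line):
            s["disabled"].append(m.group(1))
        elif m := re.match(rf"Using ({ADDR}) for statistical tracking", line):
            s["devnull"].append(m.group(1))
    # A contact receives a report only if it was not flagged as disabled.
    s["delivered_to"] = [a for a in s["best"] if a not in s["disabled"]]
    s["host_notified"] = bool(s["delivered_to"])
    return s


if __name__ == "__main__":
    for key, value in summarize(TRACE).items():
        print(f"{key}: {value}")
```

For the trace in this thread the result shows no deliverable contact, which matches the "Presumably not" answer given above.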